On Mon, 2008-08-25 at 14:17 +0400, Dmitry E. Oboukhov wrote:
> NW>>> An attacker would be insane to select this example as a
> NW>>> vehicle.
> NW>>
> NW>> An attacker can use many ways (all variants from this list, for example);
> NW>> one of them can work. Why do you think that this variant does not work?
>
> NW> Because it is in the documentation, not the script. Didn't you read the
> NW> reply? It is not a route of attack, it is AN EXAMPLE in the
> NW> documentation!
> This script is marked as executable.
> A user can start it.

Dmitry, please read the replies I've already sent. This is embedded documentation within an executable script. The documentation is stripped from the script by the perl interpreter before compilation. This is a standard method of combining documentation into perl scripts called POD and it is not a security risk!!!

Think of POD as if it was /* foo */ in a C source file. It is excluded from the compilation of the script by the perl interpreter; it is available to the perldoc and pod2man scripts to generate documentation. It is NOT executable.

> if it is an example, please chmod a-x to it ;)

It is an example in POD documentation. POD documentation is included in the script but it is NEVER executed.

=head1 foo

=cut

Anything between the POD markers is NOT executable. There is absolutely NO way that the user can execute the contents of a POD block without copying and pasting it into their own script.

-- 
Neil Williams
=============
http://www.data-freedom.org/
http://www.nosoftwarepatents.com/
http://www.linux.codehelp.co.uk/
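An added illustration of the point made in the reply above (this is example code written for this page, not the script under discussion or anything from the thread). The file name pod_demo.pl and the message strings are assumptions. The POD block between =head1 and =cut contains a line that would abort the program if it were ever compiled; running the script shows that only the body after =cut executes, while perldoc still renders the documentation.

```perl
#!/usr/bin/perl
# pod_demo.pl (hypothetical name): demonstrates that POD is stripped by the
# interpreter before compilation and is therefore never executed.
use strict;
use warnings;

=head1 NAME

pod_demo.pl - POD blocks are documentation, not code

=head1 SYNOPSIS

    # This "example" lives inside the documentation. If POD were compiled,
    # the next line would terminate the script before it printed anything.
    die "POD text was executed, which should be impossible";

=cut

# Only code outside the POD markers reaches the compiler.
print "script body ran; the die() in the SYNOPSIS was never compiled\n";

# Everything after __END__ is also ignored by the compiler but is still
# visible to perldoc, so trailing documentation is equally inert.
__END__

=head1 SEE ALSO

perlpod(1), perldoc(1)
```

Running `perl pod_demo.pl` prints the single "script body ran" line; `perl -c pod_demo.pl` reports a clean syntax check, and `perldoc pod_demo.pl` shows the SYNOPSIS with its die() line as plain documentation text. To confirm what the interpreter actually compiled, `perl -MO=Deparse pod_demo.pl` (the standard B::Deparse backend) prints only the print statement, with no trace of the POD content.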